The criminal gang behind the covert backdoor more_eggs is using fake job offers tailored to the information its targets post on their LinkedIn profiles. The gang sells backdoor access to infected systems to cybercriminal groups such as FIN6, Evilnum, and the Cobalt Group, which attack companies across a variety of industries.
Spear phishing using LinkedIn information
In a recent attack discovered by researchers at the managed detection and response company eSentire, the attacker targeted a professional in the medical technology industry with phishing emails. The phishing email carried a fake job offer for the very position the targeted professional had listed on his LinkedIn profile page. This criminal organization, known in the security industry as Golden Chickens, has used the same trick in the past.
The email in question contains a zip file named after the target's job title. Opening this file launches a malicious component called VenomLNK, the first stage of the more_eggs infection.
In its report, the eSentire team said, "Golden Chickens sells backdoors to other cybercriminals as malware-as-a-service (MaaS). Once more_eggs is deployed on the victim's system, Golden Chickens' customers enter the system and infect it with any type of malicious code, such as ransomware, credential-stealing tools, or banking malware, or use the backdoor to gain network access and exfiltrate data."
VenomLNK, running on the victim's computer, uses Windows Management Instrumentation (WMI) through PowerShell to deploy a malware loader called TerraLoader, the second stage of the attack.
TerraLoader abuses two legitimate Windows binaries, cmstp and regsvr32, to load the final payload, TerraPreter. Downloaded from a server hosted on Amazon AWS, TerraPreter is deployed as an ActiveX control, which lets it bypass network filters. ActiveX is a framework that allows code execution through Internet Explorer and is supported natively on Windows.
TerraLoader also drops and opens a Microsoft Word document designed to look like a normal job application. This document is nothing more than a decoy, intended to keep the user from becoming suspicious after opening the email attachment.
The TerraPreter payload then signals the attacker's C&C server to indicate that it has been deployed successfully and is ready to receive commands. From there the attacker can use TerraPreter to access the victim's computer and deliver plug-ins or additional malware payloads.
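The chain above (WMI/PowerShell launching a loader that abuses cmstp and regsvr32, with the final stage fetched from a remote server) is the kind of lineage a defender can hunt for in process-creation telemetry. The following triage routine is an added example, not code from eSentire or from the article; the events it scans are constructed Sysmon-style records with a placeholder URL, and the parent-process list is an assumption about which script hosts are worth flagging.

```python
# Lineages worth flagging: scripting/WMI hosts spawning the two LOLBins
# the article names (cmstp.exe, regsvr32.exe). Assumed list, not from the report.
SCRIPT_PARENTS = {"wmiprvse.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
LOLBINS = {"cmstp.exe", "regsvr32.exe"}

# Constructed process-creation events (not real telemetry); placeholder.invalid is a dummy host.
SAMPLE_EVENTS = [
    {"pid": 410, "image": r"C:\Windows\System32\regsvr32.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": r"regsvr32.exe /s C:\Program Files\Vendor\widget.dll"},   # WMI parent
    {"pid": 412, "image": r"C:\Windows\System32\cmstp.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"cmstp.exe /s C:\Users\jdoe\AppData\Local\Temp\job.inf"},  # PowerShell parent, temp .inf
    {"pid": 415, "image": r"C:\Windows\System32\regsvr32.exe",
     "parent": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"regsvr32.exe /s C:\Program Files\Vendor\widget.dll"},   # ordinary installer activity
    {"pid": 418, "image": r"C:\Windows\System32\regsvr32.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "regsvr32.exe /s https://placeholder.invalid/control.ocx"},  # remote payload reference
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev: dict) -> list:
    """Return the reasons (possibly none) an event resembles the TerraLoader stage."""
    image, parent = basename(ev["image"]), basename(ev["parent"])
    cmd = ev["cmdline"].lower()
    reasons = []
    if image not in LOLBINS:
        return reasons
    if parent in SCRIPT_PARENTS:
        reasons.append(f"{image} spawned by scripting/WMI host {parent}")
    if "http://" in cmd or "https://" in cmd:
        reasons.append(f"{image} command line references a remote URL")
    if image == "cmstp.exe" and "\\temp\\" in cmd:
        reasons.append("cmstp.exe loading an .inf from a user temp directory")
    return reasons


def triage(events: list) -> list:
    """(pid, reasons) for every event that raised at least one reason."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if reasons:
            hits.append((ev["pid"], reasons))
    return hits
```

A real deployment would read these fields from Sysmon event ID 1 or an EDR feed and tune SCRIPT_PARENTS against the baseline of the environment.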
"More_eggs runs these commands through script files while staying hidden by abusing legitimate Windows processes," said the eSentire team. "In addition, attack campaigns using this MaaS appear to be less common and more selective than typical malspam distribution networks."
Golden Chickens' high-profile customers
Golden Chickens appears to serve only a select set of well-known attackers. Its customers likely include FIN6, a notorious financial cybercrime group that has been active since at least 2014. The group is known for targeting physical point-of-sale (POS) systems and, more recently, online payment systems, stealing card data and selling it on underground markets.
FIN6 has been attacking companies in the retail, hospitality, and catering sectors for several years, and in 2019 it was confirmed to have used the more_eggs backdoor in attacks on e-commerce companies. In another 2019 campaign targeting multinational companies, FIN6 used fake job offers like this one as phishing bait to lure corporate employees.
Another group known to use more_eggs is Evilnum. Evilnum has attacked financial technology companies and securities trading platforms since 2018, and is believed to also operate as a hacker-for-hire group selling its services. According to eSentire, Evilnum spear-phishes employees of the target company with a malicious zip attachment containing the more_eggs backdoor.
The third cybercriminal organization reported to use more_eggs is the Cobalt Group, also known as Carbanak. The group specializes in stealing money from banks and other financial institutions, and is known for its meticulous reconnaissance and patience. Before launching an attack, it may spend several months analyzing the custom applications and workflows inside the target's network.
Given the type and skill level of the groups using more_eggs, an infection with this backdoor on your network should be taken very seriously and followed by a full forensic investigation. The attackers may already have penetrated critical systems and be preparing a more serious attack, or may be stealing sensitive information.